Target IP: 10.10.115.224
Can you find your way into the Valley?
There are three TCP ports open on the target machine: SSH, HTTP, and FTP.
Port 80: HTTP
The webpage above is displayed for this application. There are two buttons on this page: View Gallery and View Pricing. Clicking either button redirects to another HTML page.
While performing a directory search using feroxbuster with the command feroxbuster -u http://10.10.115.224/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php,html,txt,py,php,sh -d 2, I found an interesting page, as shown above. There is another directory called /static/ which is empty.
The note.txt contains the message above. There are two potential usernames: J and RP. The message mentions that there are notes on the website, but the directory search did not turn up anything.
However, performing a directory search on /static using the command gobuster dir -u http://10.10.115.224/static -w /usr/share/wordlists/dirb/big.txt shows the interesting result above. Judging by the response sizes, /00 could be a webpage and the others are pictures.
And it is: /00 contains the message above. The directory /dev1243224123123 sounds interesting.
The directory /dev1243224123123 contains the login webpage above. I sprayed default credentials, such as admin:admin, but they did not work. Viewing the source code of this page reveals critical information.
The dev.js JavaScript file contains the hardcoded username and password for the login page.
I used the credentials from the JavaScript file to gain access to the login page. After logging in, the note above is displayed. The note mentions the reuse of the same credentials. Maybe I can spray siemDev:california against FTP?
Port 37370: FTP
I used the same credentials to gain access to the FTP application on the higher port. There are three Wireshark capture files. I downloaded all three on my local machine for inspection.
After performing forensics on the three Wireshark capture files, I found something interesting in the third file. This file contains a username and password.
After spraying the credentials I found in the Wireshark capture file against the SSH service, I gained a foothold on the target machine.
There is a user I encountered earlier called siemdev. Using the credential california, I gained access as this user.
There is an interesting cronjob here.
I do not have write permission over this Python file. However, it does use the base64 module. Maybe I can perform library hijacking here.
I transferred pspy64 to the target machine and ran it. It looks like the script does get run.
I will need access to a user who is a member of the valleyAdmin group to change the contents of the base64.py module.
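From the defender's side, the condition that makes this privilege escalation possible is a module on the privileged script's import path that a non-owner can edit. The audit script below is an added example of my own (not part of the original writeup): it resolves each module name a privileged script imports along a search path in Python's first-match order and reports any whose file or containing directory is group- or world-writable; the temporary directory and the base64.py stand-in inside it are constructed for the demo.

```python
import os
import stat
import sys
import tempfile


def writable_by_others(path):
    """True if group or others have write permission on path (owner bits are ignored)."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_hijackable_modules(search_path, imported):
    """Resolve each imported module name along search_path, in order, the way a plain
    import does (first match wins), and report modules whose file or containing
    directory can be modified by a non-owner.  Returns a list of
    (module, resolved_path, reason) tuples; an empty list means nothing was found."""
    findings = []
    for name in imported:
        for directory in search_path:
            candidates = (os.path.join(directory, name + ".py"),
                          os.path.join(directory, name, "__init__.py"))
            hit = next((c for c in candidates if os.path.isfile(c)), None)
            if hit is None:
                continue
            if writable_by_others(hit):
                findings.append((name, hit, "module file is group/world writable"))
            elif writable_by_others(os.path.dirname(hit)):
                findings.append((name, hit, "module directory is group/world writable"))
            break  # the first match shadows every later entry on the path
    return findings


def demo():
    """Constructed scenario: a directory on the search path holds a base64.py that is
    group-writable, as on the target in this writeup.  Built in a temp dir so it runs
    offline; 'os' is listed too to show that an unresolved name yields no finding."""
    site = tempfile.mkdtemp(prefix="modaudit-")
    bad = os.path.join(site, "base64.py")
    with open(bad, "w") as fh:
        fh.write("# stand-in for the real stdlib module\n")
    os.chmod(bad, 0o664)  # owner rw, group rw, others r: group members can edit it
    return find_hijackable_modules([site], ["base64", "os"])


if __name__ == "__main__":
    # Real use: run as the cron job's user and pass the names the script imports.
    # sys.path[0] is the script's own directory, which must be checked as well.
    for module, path, reason in find_hijackable_modules(sys.path, ["base64"]):
        print(f"{module}: {path} ({reason})")
    print(demo())
```

A clean system returns an empty list for the stdlib names; the fix for any finding is to restore owner-only write permission on the module and its directory.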
From previous enumeration, I did find an interesting file called valleyAuthenticator. However, I was unable to analyse it on the target machine, which does not have strings installed, so I transferred the file to my machine using nc.
Running strings on this file shows interesting MD5 hashes before the welcome message is displayed.
Looking up the hash I obtained on CrackStation gives the password liberty123, and spraying this password against the user valley grants me access.
Now I can edit the base64.py module.
I injected the Python reverse shell code inside the module (as shown above) and gained a root reverse shell connection on port 8443 on my local machine. GG.
The user.txt flag, obtained once I gained a foothold on the target machine.
The root.txt flag, obtained after using Python library hijacking for privilege escalation to root.